llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-clang

Author: None (LoboQ1ng)

<details>
<summary>Changes</summary>

This patch improves MallocChecker to detect use-after-free bugs when a freed structure's field is passed by address (e.g., `&ptr->field`). Previously, MallocChecker would miss such cases, as it only checked the top-level symbol of argument values. This patch analyzes the base region of arguments and extracts the symbolic region (if any), allowing UAF detection even for field address expressions.

---

Full diff: https://github.com/llvm/llvm-project/pull/152462.diff

1 Files Affected:

- (modified) clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp (+8-2)

``````````diff
diff --git a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp index 369d6194dbb65..ad1d20779f384 100644 --- a/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp +++ b/clang/lib/StaticAnalyzer/Checkers/MallocChecker.cpp @@ -3156,8 +3156,14 @@ void MallocChecker::checkPreCall(const CallEvent &Call, for (unsigned I = 0, E = Call.getNumArgs(); I != E; ++I) { SVal ArgSVal = Call.getArgSVal(I); if (isa<Loc>(ArgSVal)) { - SymbolRef Sym = ArgSVal.getAsSymbol(); - if (!Sym) + const MemRegion *MR = ArgSVal.getAsRegion(); + if (!MR) + continue; + const MemRegion *BaseRegion = MR->getBaseRegion(); + SymbolRef Sym = nullptr; + if (const auto *SR = dyn_cast<SymbolicRegion>(BaseRegion)) + Sym = SR->getSymbol(); + if (!Sym) continue; if (checkUseAfterFree(Sym, C, Call.getArgExpr(I))) return;
``````````

</details>

https://github.com/llvm/llvm-project/pull/152462

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
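Review bot: The change to the argument loop in `checkPreCall` ships without a regression test; the file list shows only `MallocChecker.cpp` touched, so please add a case under the analyzer tests that frees a struct and then passes `&p->field` (and, since `getBaseRegion()` also walks through element regions, `&p->arr[i]`) to a call, checking that the use-after-free warning now fires and that the existing non-freed-base cases stay silent. Widening from the region itself to its base region is the whole point of the hunk, so a one-line comment above `MR->getBaseRegion()` saying why the base is used (field and element addresses derived from a freed symbolic region) would help the next reader. Style: the `SymbolRef Sym = nullptr;` / `if (const auto *SR = dyn_cast<...>) Sym = SR->getSymbol(); if (!Sym) continue;` sequence can be collapsed to `const auto *SR = dyn_cast<SymbolicRegion>(BaseRegion); if (!SR) continue; SymbolRef Sym = SR->getSymbol();`, which also drops the null sentinel; if the in-tree `SVal::getAsLocSymbol(/*IncludeBaseRegions=*/true)` helper already performs this base-region symbol lookup, preferring it over the hand-rolled walk would keep the checker consistent with the rest of the analyzer.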